Latest news about information security threats and incidents
Prevention of security threats and incidents described below is wiser and cheaper than forensic investigations and mitigation of the consequences of a cyber attack.
You can get evidence of this fact from the news below.
Use our services to find and mitigate your security vulnerabilities before the security threat agents find them.
Update Google Chrome Browser to Patch New Critical Security Flaws
Google has released an urgent software update for its Chrome web browser and is urging Windows, Mac, and Linux users to upgrade the application to the latest available version immediately. Chrome 77.0.3865 started rolling out to users worldwide this Wednesday. More details.
Posted on 22 September 2019 6:26 am
Iran Denies Successful Cyber Attacks On Oil Sector - RadioFarda
Tehran, Sept 21, 2019 (AFP) Iran denied on Saturday its oil infrastructure had been successfully attacked by a cyber operation, after reports of disruptions to the sector online. "Contrary to Western media claims, investigations done today show no successful cyber attack was made on the country's.... More details.
Posted on 22 September 2019 5:35 am
Attackers use Single Sign-On in Phishing pages used to steal credentials
Malicious pages have been reported to leverage Single Sign-On (SSO) to steal users’ credentials. This form of phishing attack has grown with the popularity and ease of SSO among widely used websites. What is Single Sign-On? Single Sign-On (SSO) allows users to use a single set of credentials to log into multiple applications. More details.
Posted on 21 September 2019 6:21 pm
CISA Releases Four New Insights Products
Original release date: September 20, 2019 The Cybersecurity and Infrastructure Security Agency (CISA) has released four new CISA Insights products informed by U.S. intelligence and real-world events. Each of the following products provides a description of the threat, lessons learned,.... More details.
Posted on 21 September 2019 2:18 pm
How Auto Supplier Harman Learned To Fight Cyber Carjackers - NDTVAuto.com
When researchers remotely hacked a Jeep Cherokee in 2015, slowing it to a crawl in the middle of a U.S. highway, the portal the hackers used was an infotainment system made by supplier Harman International. Harman, now part of Samsung Electronics, has since developed its own cyber security product,.... More details.
Posted on 21 September 2019 9:38 am
Iran says it will destroy any aggressor
DUBAI: Iran will pursue any aggressor, even if it carries out a limited attack, and seek to destroy it, the head of the elite Revolutionary Guards said on Saturday, after attacks on Saudi oil sites which Riyadh and US officials blamed on Tehran. More details.
Posted on 21 September 2019 9:09 am
Cyber attack risk ‘growing’ in food supply chains
The risk of cyber attacks on food supply chains is growing, a new report has warned. Contaminated food, physical harm to workers, destroyed equipment, environmental damage and huge financial losses for food companies are among the potential consequences outlined in the study by the Food Protection and Defense Institute at the University of Minnesota. More details.
Posted on 21 September 2019 1:53 am
Davenport University Gets $4M Cybersecurity Training Grant
Since 2011, Davenport University has been designated as a National Center of Academic Excellence in Cyber Defense Education by the National Security Agency and the Department of Homeland Security. (TNS) Michigan's Davenport University received a five-year, $4 million grant from the National.... More details.
Posted on 20 September 2019 10:29 pm
Report: UK Universities Vulnerable to Cyberattacks
U.K. universities will continue to face cyberattacks from nation-state actors and organized criminal gangs in the years ahead, according to a new report issued by the National Cyber Security Centre, which calls on schools to take defensive measures. More details.
Posted on 20 September 2019 10:16 pm
Accused JPMorgan Chase Hacker Plans to Plead Guilty
A Russian man accused of perpetrating the biggest heist of customer bank data in U.S. history intends to plead guilty to charges filed against him, according to court documents. Andrei Tyurin, 36, was extradited.... More details.
Posted on 20 September 2019 10:15 pm
Payouts from insurance policies may fuel ransomware attacks
CHICAGO (AP) — The call came on a Saturday in July delivering grim news: Many of the computer systems serving the government of LaPorte County, Indiana, had been taken hostage with ransomware. The hackers demanded $250,000. No way, thought County Commission President Vidya Kora. More details.
Posted on 20 September 2019 8:51 pm
How the Air Force has reorganized its cyber staff
Lt. Gen. VeraLinn Jamieson, the deputy chief of staff for intelligence, surveillance, reconnaissance and cyber effects operations, said at the annual Air, Space, Cyber conference Sept. 18, that the new plan will help guide funding, resourcing, training and capabilities for Air Force cyber offices. More details.
Posted on 20 September 2019 7:13 pm
Lawmakers Urge New National Security Adviser to Restore White House Cyber Coordinator
A pair of lawmakers demanded the Trump administration’s new national security adviser reinstate an executive-level cybersecurity position that his predecessor John Bolton eliminated last year. Soon after President Trump tapped the State Department chief hostage negotiator Robert O’Brien to take over as national security adviser on Tuesday, Sen. More details.
Posted on 20 September 2019 6:48 pm
Stratford city hall paid hacker $75,000 in Bitcoin to end cyber attack - The London Free Press
STRATFORD: The cyber attack that forced Stratford city hall to pay a hacker $75,000 in Bitcoin shows the local government wasn’t properly protecting itself and should be a wake-up call to other municipalities, an expert says. City hall officials say they paid 10 Bitcoins, a digital currency used to.... More details.
Posted on 20 September 2019 6:39 pm
Facebook has suspended ‘tens of thousands’ of apps suspected of hoarding data
Facebook has suspended “tens of thousands” of apps connected to its platform which it suspects may be collecting large amounts of user profile data. That’s a sharp rise from the 400 apps flagged a year ago by the company’s investigation in the wake of Cambridge Analytica, a scandal that saw tens of millions.... More details.
Posted on 20 September 2019 6:15 pm
HP bolsters endpoint security with Bromium acquisition
Founded in 2011 by former Citrix executives, Bromium has specialised in deploying virtualisation to provide endpoint security. Bromium's technology forms the basis for HP's Sure Click malware protection, which is a staple of HP commercial PCs. Sure Click prevents malware from leaving browser tabs.... More details.
Posted on 20 September 2019 5:20 pm
Mac Malware that Spoofs Trading App Steals User Information, Uploads it to Website
We recently found and analyzed a malware variant that disguised itself as a legitimate Mac-based trading app called Stockfolio. More details.
Posted on 20 September 2019 5:00 pm
Other Attackers Reuse Old Magecart Domains: Report
Researchers Say Widespread Web-Skimming Attacks Spawn Secondary Cybercrime Market. September 20, 2019. Decommissioned domains that were part of the pervasive Magecart web-skimming campaigns are being put to use by other cybercriminals who are re-activating them for other scams, including.... More details.
Posted on 20 September 2019 4:59 pm
How to protect your company’s backups from ransomware
There’s just one problem: backups are not immune to ransomware. Increasingly advanced ransomware strains contain mechanisms that are designed to seek out and encrypt backups that are stored both locally and in the cloud. And, if a company’s backups get encrypted, it.... In this article, we’ll show you.... More details.
Posted on 20 September 2019 4:38 pm
Cybersecurity Platforms: 8 Must-Have Attributes
Defending enterprises against the growing frequency and complexity of cyberattacks is becoming an ever-increasing burden on cybersecurity budgets and manpower. An ESG white paper on enterprise-class cybersecurity technology platforms, commissioned by McAfee, shows CISOs have “reached a tipping point where.... More details.
Posted on 20 September 2019 4:27 pm
Ransom notes shoot out of school printers but district denies hackers their prize
Ransomware operators have breached yet another school district in the United States, demanding ransom to unlock the district’s data. But this time, the district was prepared. Ransom notes started shooting out of printers in the Ava School District in the State of Missouri earlier this week, reports local news station KY3. More details.
Posted on 20 September 2019 3:03 pm
Senator Warner seeks "grand alliance" to protect against surveillance threat from China’s tech dominance
When it comes to technology policy, Senator Mark Warner (D-VA), Vice Chairman of the Senate Intelligence committee, is clearly concerned about the power China holds, particularly when it comes to trusting China’s leading tech suppliers and the prospect of a China-dominated build-out of global 5G networks. More details.
Posted on 20 September 2019 1:58 pm
What is OAuth? How the open authorization framework works
Since the beginning of distributed personal computer networks, one of the toughest computer security nuts to crack has been to provide a seamless, single sign-on (SSO) access experience among multiple computers, each of which requires unrelated logon accounts to access its services and content. More details.
Posted on 20 September 2019 10:19 am
Separate law, budget needed for cyber security: DCA head
PUNE: Rear Admiral Mohit Gupta, head of the newly created Defence Cyber Agency (DCA), said on Thursday that the country needs a separate law, budgetary allocation and a task force to tackle cyber crime at the national level. He also said that a cyber security strategy for the country was in the works. More details.
Posted on 20 September 2019 10:18 am
Critical Vulnerability in Harbor Lets Hackers Escalate Privileges by Sending a Malicious Request
Harbor is a cloud-native registry that offers rich functions in container management: it stores, signs, and scans images for vulnerabilities. It can be integrated with Docker Hub, Docker Registry, Google Container Registry, and other registries. Security researchers from the cloud division of Unit 42.... More details.
Posted on 20 September 2019 8:03 am
Magecart attackers target mobile users of hotel chain booking websites
Posted on 20 September 2019 7:14 am
CVE-2019-11211 (enterprise_runtime_for_r, spotfire_analytics_platform_for_aws)
Current Description. The server component of TIBCO Software Inc.'s TIBCO Enterprise Runtime for R - Server Edition, and TIBCO Spotfire Analytics Platform for AWS Marketplace contains a vulnerability that theoretically allows an authenticated user to trigger remote code execution in certain circumstances. More details.
Posted on 20 September 2019 7:03 am
Smominru Botnet Hacked 90,000 Windows Computers in Last Month Using EternalBlue Exploit
Threat actors behind the Smominru botnet compromised nearly 90,000 Windows computers in the last month using the EternalBlue exploit and brute-force attacks on MS-SQL, RDP, and Telnet services. Researchers uncovered that the botnet infects more than 4,000 systems daily across many networks and takes control of.... More details.
Posted on 20 September 2019 4:42 am
How organizations view and manage cyber risk - Help Net Security
Amid a wider range of issues to handle, a majority of board members and senior executives responsible for their organization’s cyber risk management had less than a day in the last year to spend focused on cyber risk issues, the 2019 Marsh Microsoft Global Cyber Risk Perception Survey results have revealed. More details.
Posted on 20 September 2019 4:34 am
ACT government and AustCyber launch Canberra Cyber Security Innovation Node
More details.
Posted on 20 September 2019 4:17 am
FedEx execs: We had no idea cyberattack would be so bad. Investors: Is that why you sold $40m+ of your own shares?
Shareholders NotHappy stock offloaded in NotPetya aftermath. FedEx execs not only hid the impact of the NotPetya ransomware on their business but personally profited by selling off tens of millions of dollars of their own shares before the truth came out, a lawsuit filed by the delivery business’ own shareholders claims. More details.
Posted on 20 September 2019 4:17 am
Enea Qosmos Probe 2.1 enables advanced cyber threat detection and forensics
Enea announced the availability of the Qosmos Probe 2.1, the award-winning Deep Packet Inspection (DPI) sensor that enables advanced cyber threat detection and forensics. Integrated into open source and commercial cybersecurity solutions, the Qosmos Probe DPI sensor enables the deep traffic intelligence.... More details.
Posted on 20 September 2019 2:33 am
Thinkful Resets All User Passwords After Security Breach
Online developer bootcamp company Thinkful is sending out email notifications stating that an unauthorized user was able to gain access to employee account credentials. Because of this, it is requiring all users to reset their passwords the next time they log in. More details.
Posted on 20 September 2019 1:32 am
U.S. military presenting range of options to Trump on Iran
The Pentagon will present a broad range of military options to President Donald Trump on Friday as he considers how to respond to what administration officials say was an unprecedented Iranian attack on Saudi Arabia's oil industry. In a White House meeting, the president will be presented with a.... More details.
Posted on 19 September 2019 11:08 pm
Phony IRS Emails Promise Refund, But Deliver Botnet Instead
A new phishing email campaign promises to deliver a tax refund, but instead helps spread a botnet called Amadey, according to researchers at a security firm. These phishing emails are primarily targeting taxpayers in the U.S., enticing them to click on a malicious document purportedly sent by the.... More details.
Posted on 19 September 2019 9:54 pm
Barracuda brings MSP business to AU, with a local team spread across Sydney, Melbourne and Brisbane
By Nico Arboleda. Cloud security vendor Barracuda has launched its Barracuda MSP business in Australia and New Zealand to support its MSP partners in the region. The company also appointed a local team spread out across Sydney, Melbourne and Brisbane to run the business, with.... More details.
Posted on 19 September 2019 9:35 pm
Phishing Emails Deliver Amadey Malware to U.S. Taxpayers
A recently observed phishing campaign is targeting taxpayers in the United States in an attempt to infect their machines with a piece of malware named Amadey, Cofense security researchers have discovered. Relatively new and fairly simple, the Amadey botnet is available for hire for cybercriminals. More details.
Posted on 19 September 2019 7:01 pm
Important Updates to DHS’s CDM Program Help Ensure Programs Effectiveness
The Department of Homeland Security’s (DHS) Continuous Diagnostics and Mitigation (CDM) program is a key component of the federal government’s cybersecurity posture. More details.
Posted on 19 September 2019 6:50 pm
Google Releases Security Updates for Chrome
Original release date: September 19, 2019. Google has released Chrome 77.0.3865.90 for Windows, Mac, and Linux. More details.
Posted on 19 September 2019 6:50 pm
WannaCry still lurking around, India also affected: Sophos
The WannaCry ransomware that created mayhem in 2017 has not died out and security software firm Sophos stopped a whopping 4.3 million infection attempts globally in August 2019, out of which 8.8 per cent were located in India, the firm revealed on Thursday. More details.
Posted on 19 September 2019 5:53 pm
Magecart Hackers Target Mobile Users of Hotel Websites
A Magecart threat actor has compromised the websites of two hotel chains to inject scripts targeting Android and iOS users, Trend Micro’s security researchers warn. More details.
Posted on 19 September 2019 5:32 pm
Universities warned to brace for cyberattacks
The UK’s cybersecurity agency also outlines precautions that academia should take to mitigate risks. The United Kingdom’s National Cyber Security Centre (NCSC) has issued a stark warning to.... More details.
Posted on 19 September 2019 5:11 pm
Facebook Removes Hundreds of Fake Accounts
Majority of Phony Postings Originated in Ukraine and Iraq. September 19, 2019. Facebook announced this week that it has removed hundreds of fake user accounts and pages after an investigation determined they were used to spread misinformation about local politics and events. More details.
Posted on 19 September 2019 4:22 pm
FS-ISAC and Europol Partner to Combat Cross-Border Cybercrime
The Financial Services Information Sharing and Analysis Center (FS-ISAC) and Europol’s European Cybercrime Centre (EC3) today announced a partnership to combat cybercrime within the European financial services sector. The purpose of the MOU will be to facilitate and enhance the law enforcement.... More details.
Posted on 19 September 2019 3:31 pm
Air Force making final preps to reform officer promotion system
The Air Force is putting the finishing touches on a proposed overhaul of its personnel management system for officers. They would be the service’s first large-scale reforms since the 1980s, and the goal, by the end of the process, is a system that promotes officers who genuinely exhibit the leadership characteristics the Air Force says it values. More details.
Posted on 19 September 2019 3:07 pm
Cryptomining Botnet Smominru Returns With a Vengeance
By monitoring the server, Guardicore was able to study infection patterns and gauge the botnet's campaign. What they found was a botnet with a wide reach that included 4,900 infected networks; it averaged about 4,700 infections per day in August. The researchers also noted that the botnet infected.... More details.
Posted on 19 September 2019 3:05 pm
Fileless Cryptocurrency-Miner GhostMiner Weaponizes WMI Objects, Kills Other Cryptocurrency-Mining Payloads
By Carl Maverick Pascual (Threats Analyst). Cybercriminals continue to use cryptocurrency-mining malware to abuse computing resources for profit. As early as 2017, we have also observed how they have applied fileless techniques to make detection and monitoring more difficult. More details.
Posted on 19 September 2019 2:21 pm
Huawei's new phone lacks Google access after U.S. ban
FRANKFURT (Reuters) - Huawei [HWT.UL] launches what could be the world’s smartest 5G phone on Thursday, but its fate in Europe will hang on whether customers will buy a device lacking access to software and apps supported by Google. More details.
Posted on 19 September 2019 11:31 am
Supply Chain Attacks: Hackers Hit IT Providers
Any attacker able to hack into an IT or managed service provider can gain access not only to that organization's network, but potentially also the network of every one of its customers. So it's no surprise that criminal groups and nation-state attackers alike.... More details.
Posted on 19 September 2019 11:22 am
State-sponsored espionage causing long-term damage to UK universities: NCSC
When I was at university (a long time ago) the Chinese had a different approach to gathering intellectual property. They would send students to study and research then those students would go back to China with their experience and knowledge, which seems fair. More details.
Posted on 19 September 2019 9:43 am
Mitsubishi Electric Europe B.V. smartRTU and INEA ME-RTU (Update A)
Posted on 10 September 2019 2:30 pm
CAN Bus Network Implementation in Avionics
Posted on 30 July 2019 1:00 pm
AA19-168A: Microsoft Operating Systems BlueKeep Vulnerability
Original release date: June 17, 2019.
Summary. The Cybersecurity and Infrastructure Security Agency (CISA) is issuing this Activity Alert to provide information on a vulnerability, known as “BlueKeep,” that exists in the following Microsoft Windows Operating Systems (OSs), including both 32- and 64-bit versions, as well as all Service Pack versions: Windows 2000, Windows Vista, Windows XP, Windows 7, Windows Server 2003, Windows Server 2003 R2, Windows Server 2008, and Windows Server 2008 R2. An attacker can exploit this vulnerability to take control of an affected system.
Technical Details. BlueKeep (CVE-2019-0708) exists within the Remote Desktop Protocol (RDP) used by the Microsoft Windows OSs listed above. An attacker can exploit this vulnerability to perform remote code execution on an unprotected system. According to Microsoft, an attacker can send specially crafted packets to one of these operating systems that has RDP enabled. After successfully sending the packets, the attacker would have the ability to perform a number of actions: adding accounts with full user rights; viewing, changing, or deleting data; or installing programs. This exploit, which requires no user interaction, must occur before authentication to be successful. BlueKeep is considered “wormable” because malware exploiting this vulnerability on a system could propagate to other vulnerable systems; thus, a BlueKeep exploit would be capable of rapidly spreading in a fashion similar to the WannaCry malware attacks of 2017. CISA has coordinated with external stakeholders and determined that Windows 2000 is vulnerable to BlueKeep.
Mitigations. CISA encourages users and administrators to review the Microsoft Security Advisory and the Microsoft Customer Guidance for CVE-2019-0708 and apply the appropriate mitigation measures as soon as possible: Install available patches... More details.
Posted on 17 June 2019 1:37 pm
DICOM Standard in Medical Devices
Posted on 11 June 2019 4:15 pm
AA19-122A: New Exploits for Unsecure SAP Systems
Original release date: May 2, 2019 | Last revised: May 3, 2019.
Summary. The Cybersecurity and Infrastructure Security Agency (CISA) is issuing this activity alert in response to recently disclosed exploits that target unsecure configurations of SAP components.[1]
Technical Details. A presentation at the April 2019 Operation for Community Development and Empowerment (OPCDE) cybersecurity conference describes SAP systems with unsecure configurations exposed to the internet. Typically, SAP systems are not intended to be exposed to the internet as it is an untrusted network. Malicious cyber actors can attack and compromise these unsecure systems with publicly available exploit tools, termed “10KBLAZE.” The presentation details the new exploit tools and reports on systems exposed to the internet.
SAP Gateway ACL. The SAP Gateway allows non-SAP applications to communicate with SAP applications. If SAP Gateway access control lists (ACLs) are not configured properly (e.g., gw/acl_mode = 0), anonymous users can run operating system (OS) commands.[2] According to the OPCDE presentation, about 900 U.S. internet-facing systems were detected in this vulnerable condition.
SAP Router secinfo. The SAP router is a program that helps connect SAP systems with external networks. The default secinfo configuration for a SAP Gateway allows any internal host to run OS commands anonymously. If an attacker can access a misconfigured SAP router, the router can act as an internal host and proxy the attacker’s requests, which may result in remote code execution. According to the OPCDE presentation, 1,181 SAP routers were exposed to the internet. It is unclear if the exposed systems were confirmed to be vulnerable or were simply running the SAP router service.
SAP Message Server. SAP Message Servers act as brokers between Application Servers (AS). By default, Message Servers listen on port 39XX and have no authentication... More details.
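The gateway ACL hardening the alert points at, shown as an added configuration example (not part of the CISA text): the weak profile setting the alert names beside the corrected one, and a secinfo ACL that only permits the system's own application servers to start external programs. The parameter names gw/sec_info and gw/reg_info, the $(DIR_DATA) path, and the secinfo rule syntax are assumptions drawn from SAP's gateway documentation as I recall it, not from the alert; check them against the documentation for your release before applying.

```text
# --- Weak: ACL enforcement off (the condition the alert describes) ---
gw/acl_mode = 0

# --- Hardened profile: enforce ACLs and name the ACL files explicitly ---
# (parameter names and path are assumptions, see lead-in)
gw/acl_mode = 1
gw/sec_info = $(DIR_DATA)/secinfo
gw/reg_info = $(DIR_DATA)/reginfo

# --- secinfo: rules are evaluated top to bottom; first match wins. ---
# Permit only the system's own application servers ("internal") to start
# programs (TP) as any user; deny everything else. Assumed syntax.
#VERSION=2
P TP=* USER=* USER-HOST=internal HOST=internal
D TP=* USER=* USER-HOST=* HOST=*
```

Two caveats follow directly from the alert's own text. First, a permit for "internal" hosts is exactly the default the alert says is abused: if a misconfigured SAProuter is reachable from the internet, it proxies the attacker as an internal host and this ACL does not help, so the router's own route table must be tightened at the same time. Second, where you can, replace HOST=internal with the specific hosts that legitimately start programs, and keep reginfo equally narrow for registered servers.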
Posted on 2 May 2019 10:54 pm
AA19-024A: DNS Infrastructure Hijacking Campaign
Original release date: January 24, 2019 | Last revised: February 13, 2019.
Summary. The National Cybersecurity and Communications Integration Center (NCCIC), part of the Cybersecurity and Infrastructure Security Agency (CISA), is aware of a global Domain Name System (DNS) infrastructure hijacking campaign. Using compromised credentials, an attacker can modify the location to which an organization’s domain name resources resolve. This enables the attacker to redirect user traffic to attacker-controlled infrastructure and obtain valid encryption certificates for an organization’s domain names, enabling man-in-the-middle attacks. See the following links for downloadable copies of open-source indicators of compromise (IOCs) from the sources listed in the References section below: IOCs (.csv), IOCs (.stix). Note: these files were last updated February 13, 2019, to remove the following three non-malicious IP addresses: 188.8.131.52, 184.108.40.206, 220.127.116.11.
Technical Details. Using the following techniques, attackers have redirected and intercepted web and mail traffic, and could do so for other networked services. The attacker begins by compromising user credentials, or obtaining them through alternate means, of an account that can make changes to DNS records. Next, the attacker alters DNS records, like Address (A), Mail Exchanger (MX), or Name Server (NS) records, replacing the legitimate address of a service with an address the attacker controls. This enables them to direct user traffic to their own infrastructure for manipulation or inspection before passing it on to the legitimate service, should they choose. This creates a risk that persists beyond the period of traffic redirection. Because the attacker can set DNS record values, they can also obtain valid encryption certificates for an organization’s domain names. This allows the redirected traffic to be decrypted, exposing any user-submitted data... More details.
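The two signals the alert describes, records moving to an address the organization does not own and a certificate appearing for the same name from an issuer the organization does not use, can be checked from a baseline. The following is an added example, not CISA's code or tooling: it compares a locally kept baseline of expected A/MX/NS answers against a fresh snapshot, lists certificate-transparency entries from unfamiliar issuers, and reports the names where both signals coincide. The baseline, the snapshot and the CT entries below are constructed sample data (RFC 5737 test addresses); in practice the snapshot would come from a resolver outside your own network and the CT entries from a log search, and all function and field names are mine.

```python
"""Detect DNS record drift and corroborating certificate issuance.

Added example for the AA19-024A hijacking pattern; not part of the alert.
All data below is constructed for the example.
"""
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

# Baseline: what each (owner name, record type) is expected to resolve to.
BASELINE: Dict[Tuple[str, str], Set[str]] = {
    ("example.com.", "A"): {"198.51.100.10"},
    ("example.com.", "MX"): {"mail.example.com."},
    ("example.com.", "NS"): {"ns1.example.net.", "ns2.example.net."},
    ("mail.example.com.", "A"): {"198.51.100.25"},
}

# Snapshot taken after a hypothetical hijack: the mail host's A record now
# points into attacker-controlled space while the MX and NS look untouched.
OBSERVED: Dict[Tuple[str, str], Set[str]] = {
    ("example.com.", "A"): {"198.51.100.10"},
    ("example.com.", "MX"): {"mail.example.com."},
    ("example.com.", "NS"): {"ns1.example.net.", "ns2.example.net."},
    ("mail.example.com.", "A"): {"203.0.113.7"},
}

# Constructed CT-log style entries: (subject name, issuer, issuance time).
CT_ENTRIES = [
    ("mail.example.com", "Known CA", "2019-01-10T00:00:00Z"),
    ("mail.example.com", "Some Other CA", "2019-01-22T03:14:00Z"),
]
KNOWN_ISSUERS = {"Known CA"}


@dataclass(frozen=True)
class Finding:
    name: str
    rtype: str
    expected: Tuple[str, ...]
    observed: Tuple[str, ...]


def detect_record_drift(baseline, observed) -> List[Finding]:
    """Return one Finding per (name, type) whose answer set differs from
    the baseline, including records that exist only in the snapshot."""
    findings = []
    for key, expected in baseline.items():
        seen = observed.get(key, set())
        if seen != expected:
            findings.append(Finding(key[0], key[1],
                                    tuple(sorted(expected)), tuple(sorted(seen))))
    for key, seen in observed.items():
        if key not in baseline:  # a record nobody provisioned is also drift
            findings.append(Finding(key[0], key[1], (), tuple(sorted(seen))))
    return findings


def unexpected_certificates(entries, known_issuers):
    """CT entries issued by a CA the organization does not normally use."""
    return [e for e in entries if e[1] not in known_issuers]


def hijack_report(baseline, observed, ct_entries, known_issuers) -> dict:
    """Combine both signals; 'corroborated' lists names with drifted
    records AND a certificate from an unfamiliar issuer."""
    drift = detect_record_drift(baseline, observed)
    certs = unexpected_certificates(ct_entries, known_issuers)
    drifted_names = {f.name.rstrip(".") for f in drift}
    corroborated = sorted({c[0] for c in certs if c[0] in drifted_names})
    return {"drift": drift, "unexpected_certs": certs, "corroborated": corroborated}


if __name__ == "__main__":
    report = hijack_report(BASELINE, OBSERVED, CT_ENTRIES, KNOWN_ISSUERS)
    for f in report["drift"]:
        print(f"DRIFT {f.rtype} {f.name}: expected {f.expected}, saw {f.observed}")
    print("corroborated hijack candidates:", report["corroborated"])
```

Record drift alone has benign causes (planned migrations, CDN changes), which is why the report keeps the certificate signal separate and only flags a name as corroborated when both fire; the alert's point that a mis-issued certificate outlives the redirection is also why the CT check should keep running after records are restored.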
Posted on 24 January 2019 8:01 pm
AA18-337A: SamSam Ransomware
Original release date: December 3, 2018.
Summary. The Department of Homeland Security (DHS) National Cybersecurity and Communications Integration Center (NCCIC) and the Federal Bureau of Investigation (FBI) are issuing this activity alert to inform computer network defenders about SamSam ransomware, also known as MSIL/Samas.A. Specifically, this product shares analysis of vulnerabilities that cyber actors exploited to deploy this ransomware. In addition, this report provides recommendations for prevention and mitigation.
The SamSam actors targeted multiple industries, including some within critical infrastructure. Victims were located predominately in the United States, but also internationally. Network-wide infections against organizations are far more likely to garner large ransom payments than infections of individual systems. Organizations that provide essential functions have a critical need to resume operations quickly and are more likely to pay larger ransoms.
The actors exploit Windows servers to gain persistent access to a victim’s network and infect all reachable hosts. According to reporting from victims in early 2016, cyber actors used the JexBoss Exploit Kit to access vulnerable JBoss applications. Since mid-2016, FBI analysis of victims’ machines indicates that cyber actors use Remote Desktop Protocol (RDP) to gain persistent access to victims’ networks. Typically, actors either use brute force attacks or stolen login credentials. Detecting RDP intrusions can be challenging because the malware enters through an approved access point. After gaining access to a particular network, the SamSam actors escalate privileges for administrator rights, drop malware onto the server, and run an executable file, all without victims’ action or authorization. While many ransomware campaigns rely on a victim completing an action, such as opening an email or visiting a compromised website, RDP allows cyber actors to infect victims with minimal detection... More details.
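The alert says RDP intrusions are hard to detect because the actor arrives through an approved access point, but a brute-force entry still leaves a shape in the Security log: a burst of failed remote-interactive logons (event 4625, logon type 10) from one source, then a success (4624) from the same source. The detector below is an added example, not part of the CISA/FBI alert and not their tooling; the log lines are constructed samples in a simplified key=value form, and the field names, thresholds and function names are assumptions for the example. In production the same logic would run over events pulled from the Windows event log or a SIEM.

```python
"""Flag RDP brute-force followed by success (AA18-337A initial-access pattern).

Added example; not the alert's code. Sample log lines are constructed and
use a simplified one-line-per-event format chosen for this example.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List

LINE_RE = re.compile(
    r"^(?P<ts>\S+) EventID=(?P<eid>\d+) LogonType=(?P<lt>\d+) "
    r"TargetUser=(?P<user>\S+) SourceIP=(?P<ip>\S+)$"
)

# Constructed sample: five failures across several usernames from one
# internet address, then a success as 'backup'; a user who mistyped a
# password once; and an unrelated network logon from an internal host.
SAMPLE_LOG = """\
2018-11-20T02:14:03Z EventID=4625 LogonType=10 TargetUser=administrator SourceIP=203.0.113.44
2018-11-20T02:14:05Z EventID=4625 LogonType=10 TargetUser=administrator SourceIP=203.0.113.44
2018-11-20T02:14:06Z EventID=4625 LogonType=10 TargetUser=admin SourceIP=203.0.113.44
2018-11-20T02:14:08Z EventID=4625 LogonType=10 TargetUser=backup SourceIP=203.0.113.44
2018-11-20T02:14:09Z EventID=4625 LogonType=10 TargetUser=svc_sql SourceIP=203.0.113.44
2018-11-20T02:14:11Z EventID=4624 LogonType=10 TargetUser=backup SourceIP=203.0.113.44
2018-11-20T02:20:00Z EventID=4625 LogonType=10 TargetUser=jdoe SourceIP=198.51.100.7
2018-11-20T02:20:30Z EventID=4624 LogonType=10 TargetUser=jdoe SourceIP=198.51.100.7
2018-11-20T03:00:00Z EventID=4624 LogonType=3 TargetUser=fileserver$ SourceIP=10.0.0.5
"""


def parse(text: str) -> List[Dict]:
    """Parse the simplified log format; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        d = m.groupdict()
        events.append({
            "ts": datetime.strptime(d["ts"], "%Y-%m-%dT%H:%M:%SZ"),
            "eid": int(d["eid"]), "lt": int(d["lt"]),
            "user": d["user"], "ip": d["ip"],
        })
    return events


def detect_rdp_bruteforce(events, threshold=5, window=timedelta(minutes=10)) -> List[Dict]:
    """Alert when one source IP accumulates >= threshold RDP (LogonType 10)
    failures within `window` and then logs on successfully over RDP."""
    by_ip = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        if e["lt"] == 10:  # only remote-interactive (RDP) logons matter here
            by_ip[e["ip"]].append(e)
    alerts = []
    for ip, evs in by_ip.items():
        failures = []
        for e in evs:
            if e["eid"] == 4625:
                failures.append(e)
                failures = [f for f in failures if e["ts"] - f["ts"] <= window]
            elif e["eid"] == 4624:
                recent = [f for f in failures if e["ts"] - f["ts"] <= window]
                if len(recent) >= threshold:
                    alerts.append({
                        "source_ip": ip,
                        "failures": len(recent),
                        "usernames_tried": sorted({f["user"] for f in recent}),
                        "succeeded_as": e["user"],
                        "at": e["ts"].isoformat(),
                    })
                failures = []  # a success ends the current sequence
    return alerts


if __name__ == "__main__":
    for a in detect_rdp_bruteforce(parse(SAMPLE_LOG)):
        print(f"RDP brute-force success from {a['source_ip']} as {a['succeeded_as']} "
              f"after {a['failures']} failures ({', '.join(a['usernames_tried'])})")
```

The threshold and window are tuning knobs, not facts from the alert: a password-spray that rotates usernames slowly will sit under five failures in ten minutes, so the same function is worth running a second time with a wider window, and the username spread in each alert is what separates a spray from one user's forgotten password. Stolen credentials, the other entry route the alert names, produce no 4625 burst at all, which is why the alert's mitigations lean on limiting who can reach RDP rather than on detecting the logon.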
Posted on 3 December 2018 4:18 pm
TA18-331A: 3ve – Major Online Ad Fraud Operation
Original release date: November 27, 2018.
Systems Affected. Microsoft Windows.
Overview. This joint Technical Alert (TA) is the result of analytic efforts between the Department of Homeland Security (DHS) and the Federal Bureau of Investigation (FBI). DHS and FBI are releasing this TA to provide information about a major online ad fraud operation—referred to by the U.S. Government as "3ve"—involving the control of over 1.7 million unique Internet Protocol (IP) addresses globally, when sampled over a 10-day window.
Description. Online advertisers desire premium websites on which to publish their ads and large numbers of visitors to view those ads. 3ve created fake versions of both (websites and visitors), and funneled the advertising revenue to cyber criminals. 3ve obtained control over 1.7 million unique IPs by leveraging victim computers infected with Boaxxe/Miuref and Kovter malware, as well as Border Gateway Protocol-hijacked IP addresses.
Boaxxe/Miuref Malware. Boaxxe malware is spread through email attachments and drive-by downloads. The ad fraud scheme that utilizes the Boaxxe botnet is primarily located in a data center. Hundreds of machines in this data center are browsing to counterfeit websites. When these counterfeit webpages are loaded into a browser, requests are made for ads to be placed on these pages. The machines in the data center use the Boaxxe botnet as a proxy to make requests for these ads. A command and control (C2) server sends instructions to the infected botnet computers to make the ad requests in an effort to hide their true data center IPs.
Kovter Malware. Kovter malware is also spread through email attachments and drive-by downloads. The ad fraud scheme that utilizes the Kovter botnet runs a hidden Chromium Embedded Framework (CEF) browser on the infected machine that the user cannot see. A C2 server tells the infected machine to visit counterfeit websites... More details.
Posted on 27 November 2018 5:09 pm
AA18-284A: Publicly Available Tools Seen in Cyber Incidents Worldwide
Original release date: October 11, 2018.
Summary. This report is a collaborative research effort by the cyber security authorities of five nations: Australia, Canada, New Zealand, the United Kingdom, and the United States. In it we highlight the use of five publicly available tools, which have been used for malicious purposes in recent cyber incidents around the world. The five tools are: Remote Access Trojan: JBiFrost; Webshell: China Chopper; Credential Stealer: Mimikatz; Lateral Movement Framework: PowerShell Empire; C2 Obfuscation and Exfiltration: HUC Packet Transmitter. To aid the work of network defenders and systems administrators, we also provide advice on limiting the effectiveness of these tools and detecting their use on a network.
The individual tools we cover in this report are limited examples of the types of tools used by threat actors. You should not consider this an exhaustive list when planning your network defense. Tools and techniques for exploiting networks and the data they hold are by no means the preserve of nation states or criminals on the dark web. Today, malicious tools with a variety of functions are widely and freely available for use by everyone from skilled penetration testers, hostile state actors and organized criminals, to amateur cyber criminals. The tools in this Activity Alert have been used to compromise information across a wide range of critical sectors, including health, finance, government, and defense. Their widespread availability presents a challenge for network defense and threat-actor attribution.
Experience from all our countries makes it clear that, while cyber threat actors continue to develop their capabilities, they still make use of established tools and techniques. Even the most sophisticated threat actor groups use common, publicly available tools to achieve their objectives. Whatever these objectives may be, initial compromises of victim systems are often established through exploitation of common security weaknesses... More details.
Posted on 11 October 2018 3:19 pm
TA18-276B: Advanced Persistent Threat Activity Exploiting Managed Service Providers
Original release date: October 3, 2018. Systems Affected: Network Systems. Overview. The National Cybersecurity and Communications Integration Center (NCCIC) is aware of ongoing APT actor activity attempting to infiltrate the networks of global managed service providers (MSPs). Since May 2016, APT actors have used various tactics, techniques, and procedures (TTPs) for the purposes of cyber espionage and intellectual property theft. APT actors have targeted victims in several U.S. critical infrastructure sectors, including Information Technology (IT), Energy, Healthcare and Public Health, Communications, and Critical Manufacturing. This Technical Alert (TA) provides information and guidance to assist MSP customer network and system administrators with the detection of malicious activity on their networks and systems and the mitigation of associated risks. This TA includes an overview of TTPs used by APT actors in MSP network environments, recommended mitigation techniques, and information on reporting incidents. Description. MSPs provide remote management of customer IT and end-user systems. The number of organizations using MSPs has grown significantly over recent years because MSPs allow their customers to scale and support their network environments at a lower cost than financing these resources internally. MSPs generally have direct and unfettered access to their customers’ networks, and may store customer data on their own internal infrastructure. By servicing a large number of customers, MSPs can achieve significant economies of scale. However, a compromise in one part of an MSP’s network can spread globally, affecting other customers and introducing risk. Using an MSP significantly increases an organization’s virtual enterprise infrastructure footprint and its number of privileged accounts, creating a larger attack surface for cyber criminals and nation-state actors. By using compromised legitimate MSP credentials (e... More details.
Posted on 3 October 2018 11:47 am
TA18-276A: Using Rigorous Credential Control to Mitigate Trusted Network Exploitation
Original release date: October 3, 2018. Systems Affected: Network Systems. Overview. This technical alert addresses the exploitation of trusted network relationships and the subsequent illicit use of legitimate credentials by Advanced Persistent Threat (APT) actors. It identifies APT actors' tactics, techniques, and procedures (TTPs) and describes the best practices that could be employed to mitigate each of them. The mitigations for each TTP are arranged according to the National Institute of Standards and Technology (NIST) Cybersecurity Framework core functions of Protect, Detect, Respond, and Recover. Description. APT actors are using multiple mechanisms to acquire legitimate user credentials to exploit trusted network relationships in order to expand unauthorized access, maintain persistence, and exfiltrate data from targeted organizations. Suggested best practices for administrators to mitigate this threat include auditing credentials and remote-access logs, and controlling privileged access and remote access. Impact. APT actors are conducting malicious activity against organizations that have trusted network relationships with potential targets, such as a parent company, a connected partner, or a contracted managed service provider (MSP). APT actors can use legitimate credentials to expand unauthorized access, maintain persistence, exfiltrate data, and conduct other operations, while appearing to be authorized users. Leveraging legitimate credentials to exploit trusted network relationships also allows APT actors to access other devices and other trusted networks, which affords intrusions a high level of persistence and stealth. Solution. Recommended best practices for mitigating this threat include rigorous credential and privileged-access management, as well as remote-access control, and audits of legitimate remote-access logs.
While these measures aim to prevent the initial attack vectors and the spread of malicious activity, there is no single proven threat response... More details.
Posted on 3 October 2018 11:00 am
TA18-275A: HIDDEN COBRA – FASTCash Campaign
Original release date: October 2, 2018 | Last revised: December 21, 2018. Systems Affected: Retail Payment Systems. Overview. This joint Technical Alert (TA) is the result of analytic efforts between the Department of Homeland Security (DHS), the Department of the Treasury (Treasury), and the Federal Bureau of Investigation (FBI). Working with U.S. government partners, DHS, Treasury, and FBI identified malware and other indicators of compromise (IOCs) used by the North Korean government in an Automated Teller Machine (ATM) cash-out scheme—referred to by the U.S. Government as “FASTCash.” The U.S. Government refers to malicious cyber activity by the North Korean government as HIDDEN COBRA. For more information on HIDDEN COBRA activity, visit https://www.us-cert.gov/hiddencobra. FBI has high confidence that HIDDEN COBRA actors are using the IOCs listed in this report to maintain a presence on victims’ networks to enable network exploitation. DHS, FBI, and Treasury are distributing these IOCs to enable network defense and reduce exposure to North Korean government malicious cyber activity. This TA also includes suggested response actions to the IOCs provided, recommended mitigation techniques, and information on reporting incidents. If users or administrators detect activity associated with the malware families associated with FASTCash, they should immediately flag it, report it to the DHS National Cybersecurity and Communications Integration Center (NCCIC) or the FBI Cyber Watch (CyWatch), and give it the highest priority for enhanced mitigation. NCCIC conducted analysis on 10 malware samples related to this activity and produced a Malware Analysis Report (MAR). MAR-10201537, HIDDEN COBRA FASTCash-Related Malware, examines the tactics, techniques, and procedures observed in the malware. Visit the MAR-10201537 page for the report and associated IOCs. Description.
Since at least late 2016, HIDDEN COBRA actors have used FASTCash tactics to target banks in Africa and Asia... More details.
Posted on 2 October 2018 3:45 pm
TA18-201A: Emotet Malware
Original release date: July 20, 2018. Systems Affected: Network Systems. Overview. Emotet is an advanced, modular banking Trojan that primarily functions as a downloader or dropper of other banking Trojans. Emotet continues to be among the most costly and destructive malware affecting state, local, tribal, and territorial (SLTT) governments, and the private and public sectors. This joint Technical Alert (TA) is the result of Multi-State Information Sharing & Analysis Center (MS-ISAC) analytic efforts, in coordination with the Department of Homeland Security (DHS) National Cybersecurity and Communications Integration Center (NCCIC). Description. Emotet continues to be among the most costly and destructive malware affecting SLTT governments. Its worm-like features result in rapidly spreading network-wide infections, which are difficult to combat. Emotet infections have cost SLTT governments up to $1 million per incident to remediate. Emotet is an advanced, modular banking Trojan that primarily functions as a downloader or dropper of other banking Trojans. Additionally, Emotet is a polymorphic banking Trojan that can evade typical signature-based detection. It has several methods for maintaining persistence, including auto-start registry keys and services. It uses modular Dynamic Link Libraries (DLLs) to continuously evolve and update its capabilities. Furthermore, Emotet is Virtual Machine-aware and can generate false indicators if run in a virtual environment. Emotet is disseminated through malspam (emails containing malicious attachments or links) that uses branding familiar to the recipient; it has even been spread using the MS-ISAC name. As of July 2018, the most recent campaigns imitate PayPal receipts, shipping notifications, or “past-due” invoices purportedly from MS-ISAC. Initial infection occurs when a user opens or clicks the malicious download link, PDF, or macro-enabled Microsoft Word document included in the malspam... More details.
Posted on 20 July 2018 9:24 pm
Meltdown and Spectre Vulnerabilities (Update J)
Posted on 11 January 2018 5:51 pm
Posted on 7 December 2017 9:11 pm
Eaton ELCSoft Vulnerabilities
Posted on 4 August 2017 7:11 pm
CAN Bus Standard Vulnerability
Posted on 28 July 2017 7:34 pm
Posted on 25 July 2017 4:45 pm
Petya Malware Variant (Update C)
Posted on 30 June 2017 9:09 pm
Indicators Associated With WannaCry Ransomware (Update I)
Posted on 15 May 2017 11:16 pm